Cyber Posture

CVE-2024-56764

Severity: High

Published: 06 January 2025
Modified: 11 February 2025
KEV Added: not listed
Patch: upstream fix available (see Security Summary)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ublk: detach gendisk from ublk device if add_disk() fails

Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so a use-after-free can be caused when getting the disk's reference in ublk_abort_requests(). Fix the bug by detaching gendisk from the ublk device if add_disk() fails.

Security Summary

CVE-2024-56764 is a use-after-free (CWE-416) in the Linux kernel's ublk driver (ublk_drv), which lets a userspace daemon serve block devices over io_uring. The driver keeps a pointer to the device's gendisk in its ublk_device structure. ublk_abort_requests(), which runs when the io_uring context exits or a request times out, takes a reference through that pointer in order to fail all inflight requests. If add_disk() fails while the device is being started, the gendisk is released on the error path but the pointer in the ublk_device is left dangling, so a later ublk_abort_requests() call dereferences freed memory when it tries to take its reference. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Reaching the bug requires a local actor who can create and start a ublk device, and then an add_disk() failure on that device followed by the abort path (uring-context teardown or a timeout). Two caveats matter in practice. First, ublk devices are created through /dev/ublk-control; access to that node is root-only by default, and the CVSS vector's PR:L rating reflects deployments that have granted unprivileged users access (for example via the driver's unprivileged-device mode). Second, add_disk() failing is an error path, such as allocation or registration failure, rather than a condition the caller chooses directly, so the window is narrow. Where the path is reached, the consequences are those of any kernel use-after-free: a kernel crash at minimum, and potentially memory corruption leading to privilege escalation. No public exploit is referenced on this page, consistent with the low EPSS score.

The fix is upstream in the Linux kernel and its stable trees. The two fixing commits listed for this CVE, 75cd4005da5492129917a4a4ee45e81660556104 and 7d680f2f76a3417fdfc3946da7471e81464f7b41, detach the gendisk from the ublk device when add_disk() fails, so the abort path sees no disk instead of a dangling pointer. Practitioners should move to a kernel that contains these commits (one newer than the affected range listed below) or take the vendor backport. As a scoping check, the code path is only present where the kernel is built with CONFIG_BLK_DEV_UBLK and the ublk_drv module is loaded; systems without the driver, or where /dev/ublk-control remains restricted to root, are not reachable by an unprivileged local user.
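The pattern described above, as an added userspace C model; this is not kernel code and not taken from the page or from the fixing commits. The names ub_disk, add_disk, put_disk and abort_requests mirror the kernel's, but the struct layouts, the simulated add_disk() failure, the `live` flag and the quarantine list are assumptions made so the dangling read can be observed deterministically instead of being undefined behaviour. Locking around the disk pointer, which the real driver needs, is omitted.

```c
/* Model of CVE-2024-56764: a ublk-style device keeps a pointer to its gendisk.
 * If add_disk() fails and the disk is dropped without clearing that pointer,
 * a later abort path (uring exit / timeout) dereferences freed memory.
 * Standalone userspace model; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum abort_result { ABORT_NO_DISK = 0, ABORT_OK = 1, ABORT_UAF = -1 };

struct gendisk {
    int refcount;      /* stands in for the kernel's reference count on the disk */
    bool live;         /* model only: false once "freed", so a dangling read is visible */
    int inflight;      /* requests still owned by the (absent) userspace server */
};

struct ublk_device {
    struct gendisk *ub_disk;  /* the pointer that is left dangling in the vulnerable path */
};

/* Model only: "freed" disks are parked here instead of being free()d, so the
 * test can inspect them safely. quarantine_flush() releases them for real. */
static struct gendisk *quarantine[8];
static int quarantine_len;

static struct gendisk *alloc_disk(int inflight)
{
    struct gendisk *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->refcount = 1;
    d->live = true;
    d->inflight = inflight;
    return d;
}

static void get_disk(struct gendisk *d) { d->refcount++; }

static void put_disk(struct gendisk *d)
{
    if (--d->refcount == 0) {
        d->live = false;        /* the real kernel returns the memory to the allocator here */
        if (quarantine_len < 8) quarantine[quarantine_len++] = d;
    }
}

static int quarantine_flush(void)
{
    int n = quarantine_len;
    for (int i = 0; i < n; i++) free(quarantine[i]);
    quarantine_len = 0;
    return n;
}

/* Simulated add_disk(): the test decides whether it fails (e.g. with -ENOMEM). */
static int add_disk(struct gendisk *d, bool fail) { (void)d; return fail ? -ENOMEM : 0; }

/* Vulnerable START_DEV path: on add_disk() failure the disk reference is dropped,
 * but ub->ub_disk still points at the released object. */
static int start_dev_vulnerable(struct ublk_device *ub, bool fail_add_disk)
{
    struct gendisk *disk = alloc_disk(4);
    ub->ub_disk = disk;
    int ret = add_disk(disk, fail_add_disk);
    if (ret) {
        put_disk(disk);         /* disk released, pointer not cleared */
        return ret;
    }
    return 0;
}

/* Fixed path: detach the disk from the device before dropping the reference. */
static int start_dev_fixed(struct ublk_device *ub, bool fail_add_disk)
{
    struct gendisk *disk = alloc_disk(4);
    ub->ub_disk = disk;
    int ret = add_disk(disk, fail_add_disk);
    if (ret) {
        ub->ub_disk = NULL;     /* detach first, so the abort path sees "no disk" */
        put_disk(disk);
        return ret;
    }
    return 0;
}

/* Abort path run on uring-context exit or timeout: takes a disk reference and
 * fails every inflight request. Returns what it observed. */
static enum abort_result abort_requests(struct ublk_device *ub)
{
    struct gendisk *disk = ub->ub_disk;
    if (!disk)
        return ABORT_NO_DISK;   /* fixed kernel after a failed start: nothing to abort */
    if (!disk->live)
        return ABORT_UAF;       /* model only: the real driver would read freed memory here */
    get_disk(disk);
    disk->inflight = 0;         /* abort all inflight requests */
    put_disk(disk);
    return ABORT_OK;
}
```

Running the vulnerable start with a forced add_disk() failure and then abort_requests() yields ABORT_UAF; the fixed start yields ABORT_NO_DISK on the same failure and ABORT_OK when add_disk() succeeds. The model's `live` check is what a real kernel cannot do, which is exactly why the fix has to clear the pointer on the error path rather than try to validate it later.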

Details

CWE(s)
CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Versions: 6.7 through 6.12.8; 6.13
